
I am trying to enable LDAPS authentication for my Nagios web GUI (https://localhost/nagios) against Active Directory. I've set this up with LDAP before without much trouble, but LDAPS is a headache. I think my cert is valid since Event Viewer in Active Directory shows what I believe is a successful credential validation. In my browser, after entering username and pwd for AD, it spins for a while and ends up at an Internal Server Error page. None of my logs give me anything useful.

Here's what I've done so far:

  1. nagios.conf - Modified for LDAPS (see the file below)
  2. ldap.conf - Added the following lines:

    HOST "hostname"
    PORT 636
    TLS_CACERT /etc/httpd/conf.d/rootcert.pem
    TLS_REQCERT never

  3. (FYI, rootcert.pem was created by taking the cert issued by the root CA and converting to pem format):

    openssl x509 -inform der -in rootcert.cer -out rootcert.pem

Here is my nagios.conf. Stuff in [brackets] is edited to not include my real info:

    ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

    <Directory "/usr/local/nagios/sbin">
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN off
    AuthName "Active Directory Login 1"
    AuthLDAPURL "ldaps://[myActiveDirServerName]:636/DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=nagiosadmin,OU=[ou1],OU=[ou2],OU=[ou3],DC=[dc1],DC=[dc2],DC=[dc3],dc=[dc4]"
    AuthLDAPBindPassword [passwd]
    Require valid-user
    </Directory>

    Alias /nagios "/usr/local/nagios/share"

    <Directory "/usr/local/nagios/share">
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN off
    AuthName "Active Directory Login 2"
    AuthLDAPURL "ldaps://[myActiveDirServerName]:636/DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=nagiosadmin,OU=[ou1],OU=[ou2],OU=[ou3],DC=[dc1],DC=[dc2],DC=[dc3],dc=[dc4]"
    AuthLDAPBindPassword [passwd]
    Require valid-user
    </Directory>

Any help you could provide would be greatly appreciated!

1 Answer

SOLVED.

Switched port from 636 to 3269.

Also used a different cert. My host sits in a different network enclave than the AD server so I needed to chain together my PEM-converted intermediate and root certs:

    openssl x509 -inform der -in rootcert.cer -out rootcert.pem
    openssl x509 -inform der -in intermediateCert.cer -out intermediateCert.pem
    cat intermediateCert.pem rootcert.pem > chainedCert.pem

(Then use chainedCert.pem in ldap.conf. You'll need to change the permissions on that cert too.)
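The following script is an added example and not code from the question or the answer. It reproduces step 3 of the question (DER to PEM conversion) and the answer's chaining procedure, then checks the resulting bundle with `openssl verify` before anyone points `TLS_CACERT` at it, which is the quickest way to tell a broken chain apart from the other causes of a 500 from mod_authnz_ldap. All certificates are a constructed throwaway test PKI generated inside the script; in a real deployment `rootcert.cer` and `intermediateCert.cer` are the files issued by the AD certificate authority. The hostname `ad.example.test` and the `check_ldaps_endpoint` helper are assumptions; port 3269 is the global catalog SSL port the answer switched to.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA bundle the way the
# answer describes, then verify a server certificate against it.
# All certificates below are constructed test material.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension file marking a certificate as a CA. Without basicConstraints the
# intermediate would be rejected as an issuer ("invalid CA certificate").
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Throwaway root CA -> intermediate CA -> LDAP server certificate (constructed).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -sha256 -days 2 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.pem 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -sha256 -days 2 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ad.example.test" \
    -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -sha256 -days 2 -in srv.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -out srv.pem 2>/dev/null

# Export the CA certs as DER (.cer), the form the poster received from AD.
openssl x509 -in root.pem -outform der -out rootcert.cer
openssl x509 -in int.pem  -outform der -out intermediateCert.cer

# build_chain: the answer's procedure. $1 = root .cer, $2 = intermediate .cer,
# $3 = output PEM bundle. The bundle holds public certs only, so 0644 is safe
# and lets the unprivileged httpd process read it (the "permissions" remark).
build_chain() {
    openssl x509 -inform der -in "$1" -out rootcert.pem
    openssl x509 -inform der -in "$2" -out intermediateCert.pem
    cat intermediateCert.pem rootcert.pem > "$3"
    chmod 0644 "$3"
}

# verify_leaf: prints OK if $2 (server cert) chains to a trust anchor in
# $1 (CA bundle), FAIL otherwise. This is the same path-building check the
# LDAP client library performs when TLS_REQCERT is not "never".
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# count_certs: number of PEM certificates in a bundle (sanity check that
# cat really concatenated both files).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_ldaps_endpoint: the live test against the directory server (not run
# here; host is an assumption, port defaults to the answer's 3269).
# -verify_return_error turns a chain failure into a hard error instead of a
# warning buried in the s_client output.
check_ldaps_endpoint() {
    openssl s_client -connect "$1:${2:-3269}" -CAfile chainedCert.pem \
        -verify_return_error </dev/null
}

build_chain rootcert.cer intermediateCert.cer chainedCert.pem

echo "root cert only: $(verify_leaf rootcert.pem srv.pem)"    # FAIL: issuer missing
echo "chained bundle: $(verify_leaf chainedCert.pem srv.pem)" # OK
```

The first `verify_leaf` call shows the failure mode the answer hit: with only the root in the file, the server certificate's issuer (the intermediate) cannot be found and verification fails, which on the Apache side surfaces only as a generic error. The second call passes once the intermediate is in the bundle. Run `check_ldaps_endpoint your-dc-host` against the real server to confirm the same thing over the wire.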